Configure User-ID Redistribution
Before you configure User-ID redistribution:
- Plan the redistribution architecture. Some factors to consider are:
  - Which firewalls will enforce policies for all users and which firewalls will enforce region- or function-specific policies for a subset of users?
  - How many hops does the redistribution sequence require to aggregate all User-ID information? The maximum allowed number of hops is ten.
  - How can you minimize the number of firewalls that query the user mapping information sources? The fewer the number of querying firewalls, the lower the processing load is on both the firewalls and sources.
Perform the following steps on the firewalls in the User-ID redistribution sequence.
- Configure the firewall to redistribute User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information.
  - Select Device > User Identification > User Mapping.
  - (Firewalls with multiple virtual systems only) Select the Location. You must configure the User-ID settings for each virtual system. You can redistribute information among virtual systems on different firewalls or on the same firewall. In both cases, each virtual system counts as one hop in the redistribution sequence.
  - Edit the Palo Alto Networks User-ID Agent Setup and select Redistribution.
  - Enter a Collector Name and Pre-Shared Key to identify this firewall or virtual system as a User-ID agent.
  - Click OK to save your changes.
- Configure the service route that the firewall uses to query other firewalls for User-ID information. Skip this step if the firewall receives user mapping information from Windows-based User-ID agents or directly from the information sources (such as directory servers) instead of from other firewalls.
  - Select Device > Setup > Services.
  - (Firewalls with multiple virtual systems only) Select Global (for a firewall-wide service route) or Virtual Systems (for a virtual system-specific service route), and then configure the service route.
  - Click Service Route Configuration, select Customize, and select IPv4 or IPv6 based on your network protocols. Configure the service route for both protocols if your network uses both.
  - Select UID Agent and then select the Source Interface and Source Address.
  - Click OK twice to save the service route.
- Enable the firewall to respond when other firewalls query it for User-ID information. Skip this step if the firewall receives but does not redistribute User-ID information. Configure an Interface Management Profile with the User-ID service enabled and assign the profile to a firewall interface.
- Commit and verify your changes.
  - Commit your changes to activate them.
  - Access the CLI of a firewall that redistributes User-ID information.
  - Display all the user mappings by running the following command:
    > show user ip-user-mapping all
  - Record the IP address associated with any username.
  - Access the CLI of a firewall that receives redistributed User-ID information.
  - Display the mapping information and authentication timestamp for the <ip_address> you recorded:
    > show user ip-user-mapping <ip_address>
    IP address: 192.0.2.0 (vsys1)
    User: corpdomain\username1
    From: UIA
    Idle Timeout: 10229s
    Max. TTL: 10229s
    MFA Timestamp: first(1) - 2016/12/09 08:35:04
    Group(s): corpdomain\groupname(621)
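The verification step above compares the mapping on the redistributing firewall with the copy on a receiving firewall by eye. The following added example (not Palo Alto Networks code) automates that comparison: it parses the "show user ip-user-mapping <ip_address>" output in the format shown above and flags a mismatched user, a missing authentication timestamp, or a receiver that did not learn the mapping through a User-ID agent (From: UIA). Both outputs below are constructed samples; the "From: AD" value on the redistributor is an assumed placeholder for a direct source.

```python
import re

# Constructed sample output from the redistributing firewall. The source
# value "AD" is an assumed placeholder, not taken from a real firewall.
REDISTRIBUTOR_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: AD
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

# Constructed sample output from a receiving firewall, in the format shown
# in the procedure above (mapping learned via a User-ID agent: From: UIA).
RECEIVER_OUTPUT = """\
IP address: 192.0.2.0 (vsys1)
User: corpdomain\\username1
From: UIA
Idle Timeout: 10229s
Max. TTL: 10229s
MFA Timestamp: first(1) - 2016/12/09 08:35:04
Group(s): corpdomain\\groupname(621)
"""

# "Field: value"; the field name stops at the first colon, so timestamps
# containing colons stay intact in the value.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_mapping(text):
    """Parse 'show user ip-user-mapping <ip>' output into a field -> value dict."""
    mapping = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            mapping[m.group(1).strip()] = m.group(2).strip()
    return mapping


def check_redistribution(src_text, dst_text):
    """Return a list of problems found when comparing the redistributor's
    mapping (src) with the receiver's copy (dst). Empty list means healthy."""
    src, dst = parse_mapping(src_text), parse_mapping(dst_text)
    problems = []
    for field in ("IP address", "User", "MFA Timestamp"):
        if src.get(field) != dst.get(field):
            problems.append(f"{field} differs: {src.get(field)!r} vs {dst.get(field)!r}")
    # A receiving firewall should show the mapping as learned from a User-ID
    # agent (the redistributing firewall), not from a direct source.
    if dst.get("From") != "UIA":
        problems.append(f"receiver learned mapping from {dst.get('From')!r}, expected 'UIA'")
    if not dst.get("MFA Timestamp"):
        problems.append("authentication timestamp was not redistributed")
    return problems
```

In practice, paste each firewall's CLI output into the two variables (or read them from files) and call check_redistribution; a non-empty result points at the hop where the mapping or timestamp was lost.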